add test for SAN backwards compatibility with CLI

* new provisioner tokens always contain the crt.Subject.CommonName in the SANS attribute of the token claims. added tests that verifies backwards compatibility still works in cases where the token does not contain the subject as a SAN claim.
2026-01-27 10:18:34 +00:00 · 2019-02-01 12:24:21 -06:00
parent fe8c8614b2
commit ab78534b08
1 changed files with 33 additions and 0 deletions
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -218,6 +218,39 @@ ZEp7knvU2psWRw==
 				status: http.StatusCreated,
 			}
 		},
+		"ok-backwards-compat-missing-subject-SAN": func(t *testing.T) *signTest {
+			jti, err := randutil.ASCII(32)
+			assert.FatalError(t, err)
+			cl := struct {
+				jwt.Claims
+				SANS []string `json:"sans"`
+			}{
+				Claims: jwt.Claims{
+					Subject:   "test.smallstep.com",
+					Issuer:    "step-cli",
+					NotBefore: jwt.NewNumericDate(now),
+					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Audience:  validAud,
+					ID:        jti,
+				},
+			}
+			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			assert.FatalError(t, err)
+			csr, err := getCSR(priv)
+			assert.FatalError(t, err)
+			body, err := json.Marshal(&api.SignRequest{
+				CsrPEM:    api.CertificateRequest{CertificateRequest: csr},
+				OTT:       raw,
+				NotBefore: now,
+				NotAfter:  leafExpiry,
+			})
+			assert.FatalError(t, err)
+			return &signTest{
+				ca:     ca,
+				body:   string(body),
+				status: http.StatusCreated,
+			}
+		},
 	}

 	for name, genTestCase := range tests {